Was there a change between 8.5.1 and 8.6.0 to reduce the number of reported Java issues?

I read Why are so many rules inactive by default? so I am aware that there is a rationale for not having all rules active by default.

However, I am trying to understand if there was a significant change to the number of active rules in the Sonarway Java QP as of release 8.6.0, as the number of detected issues dropped after upgrading.

For our project, the change in the number of reported issues (by type):

Bugs: down 18%
Vulnerabilities: down 69%
Code Smells: down 65%

The change in vulnerabilities is the most concerning, but the comments I make below apply to other types as well. We happened to have in-flight changes to remediate rule java:S2384, which was a source of much of the “improvement” since it is now inactive in the QP (so our in-progress PR doesn’t actually improve the measured code quality now).

I don’t see how one can justify having ready (non-deprecated) vulnerability rules that are inactive. I see that there only seem to be 6 of them, but they have tags that mark them as part of the OWASP Top 10, etc. If they are really not useful for most projects, should they still be tagged like that? Or considered to be ready?

Perhaps these changes were made to lower the number of reported vulnerabilities, but if that is the goal, why not simply have two (or more) QPs: “Lenient Sonarway” and “Strict Sonarway”? For my company, I would rather see more vulnerabilities reported and then selectively deactivate the ones that we do not feel make sense in our organization than the other way around (our QP extends Sonarway). I imagine others are of the same mindset.

Now, after every upgrade, it seems that I will have to go in and check which rules have been made inactive in the built-in QPs. Maybe the release notes could publish the list of such changes so that it is easier to understand the impact of upgrading?
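
The check described in the post above, comparing the active rule set of a quality profile before and after an upgrade, can be automated. The following is an added example and not SonarQube's own tooling: it diffs two snapshots of a profile's active rules, counts what was deactivated by issue type, and flags READY rules with security-standard tags that dropped out. The snapshot shape is an assumption modelled on the `api/rules/search` response (fields `key`, `type`, `status`, `sysTags`, `tags`); every rule in the snapshots is a constructed placeholder except the key java:S2384 mentioned in the thread, and its tags here are illustrative.

```python
"""Diff a quality profile's active rules across a SonarQube upgrade.

Added example, not SonarQube's own code. Snapshot fields are an assumption
modelled on the api/rules/search response; rule keys starting with "demo:"
are constructed placeholders, and the tags on java:S2384 are illustrative.
"""
import json
from collections import Counter

# Tag prefixes that mark a rule as mapped to a security standard.
SECURITY_TAG_PREFIXES = ("owasp-", "cwe", "sans-top25")

# Constructed "before upgrade" snapshot of the profile's active rules.
BEFORE_SNAPSHOT = {"rules": [
    {"key": "java:S2384", "type": "VULNERABILITY", "status": "READY",
     "sysTags": ["cwe", "owasp-a3"], "tags": []},  # tags illustrative
    {"key": "demo:BUG1", "type": "BUG", "status": "READY", "sysTags": [], "tags": []},
    {"key": "demo:SMELL1", "type": "CODE_SMELL", "status": "READY", "sysTags": [], "tags": []},
    {"key": "demo:SMELL2", "type": "CODE_SMELL", "status": "READY", "sysTags": [], "tags": []},
    {"key": "demo:VULN2", "type": "VULNERABILITY", "status": "READY",
     "sysTags": ["owasp-a1"], "tags": []},
    {"key": "demo:VULN3", "type": "VULNERABILITY", "status": "DEPRECATED",
     "sysTags": ["cwe"], "tags": []},
]}

# Constructed "after upgrade" snapshot: three rules gone, one retyped, one new.
AFTER_SNAPSHOT = {"rules": [
    {"key": "demo:BUG1", "type": "BUG", "status": "READY", "sysTags": [], "tags": []},
    {"key": "demo:SMELL1", "type": "CODE_SMELL", "status": "READY", "sysTags": [], "tags": []},
    {"key": "demo:VULN2", "type": "CODE_SMELL", "status": "READY",
     "sysTags": ["owasp-a1"], "tags": []},
    {"key": "demo:NEWBUG", "type": "BUG", "status": "READY", "sysTags": [], "tags": []},
]}


def load_snapshot(path):
    """Load a snapshot saved as JSON (same shape as the dicts above)."""
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)


def index_rules(snapshot):
    """Map rule key -> rule dict for quick membership checks."""
    return {r["key"]: r for r in snapshot["rules"]}


def diff_profiles(before, after):
    """Return rules deactivated, newly activated, and rules whose type changed."""
    b, a = index_rules(before), index_rules(after)
    return {
        "deactivated": {k: b[k] for k in b if k not in a},
        "activated": {k: a[k] for k in a if k not in b},
        "retyped": {k: (b[k]["type"], a[k]["type"])
                    for k in b if k in a and b[k]["type"] != a[k]["type"]},
    }


def count_by_type(rules):
    """Count rules per issue type (BUG, VULNERABILITY, CODE_SMELL)."""
    return dict(Counter(r["type"] for r in rules.values()))


def is_security_tagged(rule):
    """True if any system or user tag maps the rule to a security standard."""
    tags = rule.get("sysTags", []) + rule.get("tags", [])
    return any(t.startswith(SECURITY_TAG_PREFIXES) for t in tags)


def ready_security_rules_dropped(diff):
    """Keys of non-deprecated, security-tagged rules that became inactive."""
    return sorted(k for k, r in diff["deactivated"].items()
                  if r["status"] == "READY" and is_security_tagged(r))


def upgrade_report(before, after):
    """Human-readable summary lines of what the upgrade changed in the profile."""
    diff = diff_profiles(before, after)
    return [
        f"deactivated by type: {count_by_type(diff['deactivated'])}",
        f"newly activated: {sorted(diff['activated'])}",
        f"type changed: {diff['retyped']}",
        f"READY security-tagged rules now inactive: {ready_security_rules_dropped(diff)}",
    ]


if __name__ == "__main__":
    print("\n".join(upgrade_report(BEFORE_SNAPSHOT, AFTER_SNAPSHOT)))
```

For real use, save the active rules of the profile before and after the upgrade (for example from the Web API's `api/rules/search` with the profile key and `activation=true`, collecting all pages) and pass the two files through `load_snapshot` instead of the constructed dicts. The "type changed" list matters as much as the deactivations, since a rule moving from VULNERABILITY to CODE_SMELL lowers the vulnerability count without any rule being removed.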

Hi @andrew-garland,

For upgrade notes for SonarJava 6.9, which was released with SonarQube 8.6, you can see the notes here: Release Notes for SonarJava 6.9

You can click on “Configure Release Notes” to get the release notes for older versions of SonarJava. Which version of SQ did you upgrade from?

Regarding S2384, you can search our Jira board for more information on changes here and filter them by Fix Version, etc. to see changes between versions.

Joe

Thanks for the reply. I upgraded from 8.5.1.

The link to the bug fixes was helpful as well; I see the rule I pointed out will be switched from vulnerability to code smell when SonarQube updates to SonarJava 6.11.

It would be nice if the SonarQube release notes included a summary of the versions of the embedded scanners, so one could tell at a glance whether SonarJava or other scanners were updated. I couldn’t find any documentation or indication in the list of issues (Release Notes - SonarSource) that the SonarJava version was changed in 8.6.0.